Page 17 - ITGC_Audit Guides
Common instances might include a business unit purchasing and/or using applications or
programs (e.g., an Excel macro), platforms, or infrastructure as a service to better meet their
perceived needs but failing to consult IT leadership and/or follow appropriate governance
protocols prior to proceeding with implementation. Whether or not the proper protocol is
deliberately avoided, this indicates poor IT governance and a less than optimal relationship
between the business function and IT. Business units within an organization should work together
with IT to ensure the entire organization follows an established process for assessing,
onboarding, and managing hardware and software.
The organization perceives IT as an impediment to selecting the best solution or
optimizing the sourcing of an IT service. The potential tension between the IT function and
business function as to what is best delivered internally versus externally can be a major
challenge. One method to overcome this challenge is for IT to indicate the cost or assign fees
and an ROI (cost savings potential) for their services and consultation. Granting the internal
IT organization the ability to complete a request for proposal (RFP), just as an external
vendor, allows the organization to have a side-by-side comparison for their choice of working
with an external provider’s solution or service versus choosing an in-house solution or
service.
The technology solutions in use are obsolete or poorly maintained. Ensuring that
software and infrastructure components are up to date and supported is essential for
reliable IT operations. Business and IT functions should cooperate to establish adequate
maintenance windows to ensure updates, patching, and other critical refresh activities are
funded and performed in a timely manner. Failure to keep technology up to date can result in
"technology debt": a lack of IT investment, either financial or in upgrades, that contributes to
inefficiencies, risks (particularly around information security), or lost opportunities that can
build up over time. Unrecognized levels of technology debt can lead to uninformed decisions
and are often the root cause of operational or strategic issues. It is possible for technology debt
to be accepted, planned, or even built, but when doing so, the risks and impacts should be
formally understood and accepted by appropriate management.
Lack of clarity and/or ownership of formal IT risk. Organizations may view IT-related risks
as the responsibility of the CIO or IT function. However, most IT-related risks ultimately are
owned and should be accepted by the appropriate business function. With the proper
understanding of who owns and takes responsibility for risks, the business function is more
apt to fund IT risk mitigation efforts and partner with IT in creating value and optimizing
decisions.
Inefficient or ineffective project governance or management. Business-critical IT projects
should be completed on time, in scope, and on budget. Project governance is critical to
ensure all projects are appropriately prioritized and resourced, and delivered in a timely and
effective manner. Project management helps ensure critical project aspects are transparent to all
stakeholders, giving those responsible a clear and accurate understanding of project status,
issues, risks, and deliverables. It also means that "scope creep," or the tendency for a
project's requirements to increase over time, is effectively managed.
From an internal audit perspective, involvement in the entirety of key projects — from business
case development through project monitoring and final delivery — can be a critical success factor
9 — theiia.org